Cybersecurity Ventures Names GreyCastle Security One of the Hottest Companies to Watch in 2016

For the second consecutive year, Cybersecurity Ventures has named GreyCastle Security to the Cybersecurity 500, which is the industry’s definitive list of cybersecurity companies to watch in 2016.

According to research published by Cybersecurity Ventures, the cybersecurity industry is predicted to grow from $75 billion in 2015 to more than $170 billion by 2020. Cybersecurity Ventures’ comprehensive list recognizes industry innovators, from long-respected brands to smaller up-and-comers with a fresh approach to cybersecurity solutions. The complete list is available on Cybersecurity Ventures’ website.

“We evaluated thousands of potential companies for this listing and we are very excited to have GreyCastle Security once again on the Cybersecurity 500 list,” said Steve Morgan, founder and CEO of Cybersecurity Ventures. “The company continues to show extensive growth and we look forward to their future expansion in the cybersecurity market.”

GreyCastle Security focuses on managing the risks in people, processes and technology – as opposed to simply deploying the latest hardware and software solutions. The company was formed in 2011 by an experienced team of CISOs, ISOs, security specialists and operators who recognize the need for a systematic approach to cybersecurity.

“We’re honored to be recognized by Cybersecurity Ventures as one of the hottest companies in the industry,” said GreyCastle CEO Reg Harnish. “This validates our approach to helping companies manage their risk and provide the services needed to build an effective security program.”


Defending Yourself Against ATM Skimmers

Cyber theft at ATMs is a booming business for criminals looking to steal your cash – and your identity. A quick look at the headlines shows just how commonplace this is:

In Albany, NY, a man placed a card “skimmer” on an ATM at a bank. In Friendswood, Texas, two men placed a skimmer on a convenience store ATM. In Lexington, Kentucky, a woman placed devices on two ATMs at local banks. In Denison, Texas, police arrested a juvenile after he was caught on surveillance video planting a skimming device. In Brooklyn and Queens, two scammers with skimmers installed devices on ATMs and got away with customers’ card information for three months.

A month’s worth of headlines? No. That was one day, Nov. 30.

The explosion in ATM skimmer thefts is happening because the devices have gone retail. No longer is this a small number of sophisticated crooks with homemade, crude devices. The devices we see now are perfect facsimiles of keypads or card swipes that in many cases fit right over the real device like a glove. Today’s skimmers are sold widely on the Internet, and any common criminal can get them.

In fact, skimmers are so widespread that it’s almost certain you will visit an ATM, gas pump or other point of sale device that has been compromised. New hardware and software is being designed every day to fight back, but with so many legacy machines out there, true security depends on you.

Here are a few tips you can take to protect yourself, your money and your identity when visiting an ATM:

Security Begins at Home

  • Make sure your PIN is random – birthdays and other personal information you’ve shared on social media are easily guessed. Be sure to change the PIN once per year, at a minimum.
  • Plan your transaction. Know exactly what you want to accomplish before you get there to avoid wasting time at the ATM. Check your balance at home, not at the ATM to avoid multiple, time-consuming withdrawals that could keep you there longer than necessary.
  • Select an ATM at a bank, in a well-lit area. Avoid ATMs in hotels, convenience stores and malls if possible. If you need to use them, look for those in high-traffic areas with security cameras nearby, or in line-of-sight to cashiers.

Security at the ATM

  • A few ATMs require unlocking a door with a card. If so, any card with a magnetic stripe will work. Do not use your ATM card or driver’s license, but a library card or something with no value.
  • Before swiping or inserting your card into the ATM itself, check the device. Wiggle the card reader and the PIN pad – they should not move at all. Look for anything else that looks out of place: attachments, unidentified boxes, cameras or other modifications. If you’re not sure, you can always pick another ATM.
  • Insert or swipe your card. Use your hand to cover the keypad when you enter your PIN. The idea is to block visibility from people behind you or cameras near the ATM.
  • “Get off the X.” Don’t count your money at the ATM – even if there is an error you can’t do anything about it there. Check your surroundings and maintain situational awareness. Move with a purpose.

Security Never Ends

  • Report any problems to the bank that owns the ATM.
  • Check your bank statement – it should match your receipts and ATM activity.
  • Remember that gas pumps, car washes and other payment devices are just as vulnerable to compromise as ATMs. Use the same tips – and some common sense.

Take these steps to keep yourself secure. In the modern age, relying on software and hardware is never enough. You are your own best security.

GreyCastle Security Named to Best Places to Work


GreyCastle Security is thrilled to announce it has been recognized as one of the Albany Business Review’s Best Places to Work in the Albany area. This highly competitive award, now in its 12th year, allows companies to showcase their positive work environments.

The winners are chosen through a survey software by Quantum Workplace of Omaha, which allows the Business Review to solicit opinions from a variety of company employees.

Award winners will be honored at an annual event on December 4 and this year’s theme will be “Companies that Rock – Vol. 2”.

Human Hacking in the World of Social Engineering; A Knight’s Tale

We used to hear that it was not a matter of if we’d be affected by a cyber attack, but when. Now, it’s not so much when we’ll be affected, but how often and how impactful the attack will be.

In the final of our three part Cybersecurity Awareness webinar series with Annese & Associates, GreyCastle Security’s CEO Reg Harnish discussed why most security researchers have settled on the fact that humans pose the greatest risk when it comes to cyber crime.

Reg states that most organizations exist and survive in a state of continuous compromise. They haven’t finished responding to their current incident before the next one occurs. An incident can be as small as an infected laptop or something far more serious like a data breach. Statistics have proven that the frequency and intensity of cyber crime has increased over the last several years, and it will only get worse.

Why are humans so hackable?

When it comes down to it, most of the security decisions we make are based on emotion, like whether we choose to click on a malicious email and open ourselves up to attack. Here are a few reasons why we’re so hackable:

  1. The Invincibility Theorem: When it comes to security, there is a widening disconnect between how vulnerable we feel we are and how vulnerable we actually are. We can feel secure even when we’re not and vice versa. Humans are not necessarily good at assessing true risk. We tend to overestimate the risk of things that we can’t control (i.e., a terror attack), and underestimate the risk of things we can (i.e., texting and driving).
  2. We’re a Social Species: This age of information sharing and big data has compounded the problem in cyber crime because there is so much information out there about us and our organizations. Cyber criminals target this low-hanging fruit first. They are able to piece together bits of personal information leaked on social media networks that make it very easy to create a sense of familiarity and lower victims’ guards. When you think back to your grandparents, they may have been very hesitant to put credit card information online. Now, Millennials are not afraid to share personal information, location information, and other aspects of their lives on social media. The workforce is getting younger and Millennials have a different view on privacy and security, which poses a new kind of risk to organizations.
  3. The Fear Factor: Hackers may capitalize on humans’ natural tendency to fear authority by sending out a phony email from a government or law enforcement agency. They may say that there is an issue with our taxes or that we were caught doing something wrong which triggers our fear instinct and may prompt us to comply with requests to divulge personal information.
  4. We Want to Help: If a FedEx worker showed up to your office with a big box in their hands and couldn’t open the access control door, most human beings would be inclined to hold the door open for them. That FedEx worker may be a hacker in disguise and they are now in your office building. Humans’ tendency to want to be helpful toward others can put us more at risk for being vulnerable to attack if we don’t know what to look out for.

How can we practice cyber self defense?

Cyber self defense is more about psychology than it is about technology, and our biggest adversary may in fact be ourselves. As an organization, here are five things you need to start doing now:

  1. Accept your Vulnerability: Recognize that you and your employees are vulnerable and potential targets for cyber attack. Perform social engineering exercises in-house and track employee performance. Were they able to identify threats and respond appropriately to them? By assessing your vulnerabilities, you will raise your guard and know which areas you’re weakest in.
  2. Think like an Attacker: On the other side of cyber crime sits a person. Not a robot. Not a computer. It’s a person who wants to steal your passwords, intellectual property, credit card information, and so on, to use or monetize for their own gain. Knowing that your employees are the primary security control between your data and your adversaries, it is crucial to educate them on what to look out for and how to respond accordingly. The more they understand how an attacker may strike, the better they will be able to prevent it.
  3. Train Relentlessly: If you look at your security budget and 90% of it is allocated to technology, then you’re missing the proverbial boat. Investing in an awareness training program is imperative. There are many ways to spread and reinforce key messages. Email reminders, internal campaigns, posters, live presentations, webinars, quizzes, and games are some examples. This is a long-term issue, and continuous, consistent messaging is necessary in order to change employees’ cognitive behavior toward security over time.
  4. Test Relentlessly: Penetration testing is the practice of simulating real attacks in your organization to determine in which areas employees are weakest. Some ideas for how to conduct penetration tests: drop flash drives in common areas and see if anyone uses them; call employees and ask for their passwords or credentials; send test phishing emails and monitor how many people click; have someone pretend to be part of the building’s IT staff and ask people to evacuate the area, leaving their laptops behind. This data needs to be put back into your training program so you are training on the areas where your organization is most vulnerable.
  5. Have a Backup Plan: It’s important to manage your expectations and understand that you will not have 100% compliance when you start an employee awareness program. The goal should be a reduction in risks over time and continuous monitoring will help you understand if you are headed to your goal at a pace that feels reasonable. In the meantime, having incident response capability is a must. Expect failures, incidents, and breaches, and be prepared to respond.

Efficient x Effective x Engaging; The Importance of Measuring Your Awareness Program

In the second of our three-part Cybersecurity Awareness webinar series with Annese & Associates, GreyCastle Security’s Chief Security Strategist Dan Didier shared important tips for measuring the effectiveness of your employee cybersecurity awareness program.

In most organizations today, employees are your weakest link when it comes to cybersecurity. This is why leaders need to bump cybersecurity awareness up to the top of their corporate strategy if reducing risk is a priority (which it should be).

Like anything, establishing a solid organizational cybersecurity program is a process, and a process can only be improved upon if it is measured.

Most organizations today fall under one of these two categories:

  • You struggle to find any real ROI from investing in a cybersecurity awareness program and have difficulty proving its value to senior leaders; so, you may have antivirus and firewalls in place, but that’s as far as your cybersecurity plan goes. Or…
  • Your organization just suffered a data breach and you are in knee-jerk reaction mode, ready to spend some serious dollars on intrusion protection software and other security measures.

Wherever you fall in the spectrum, having a program in place before you need it is key, and employee awareness and training is the crux. Its value can be proven if the right metrics are measured.

Here’s where to start:

Basic Metrics: In the first webinar, we talked about why and how to create an employee awareness program. Once you’ve implemented a process and started with awareness training, you’ll want to understand which training areas are most effective, which messages are resonating, which delivery models work best for your users, and where to focus your security budget next.

The most important question you want to ask is, are these efforts reducing cybersecurity related incidents? Why or why not? Consider the following.

  1. Compliance: Many organizations have legal compliance requirements that need to be met. What security regulations are you bound to adhere to?
  2. Attendance. Are users attending the required trainings? Record those numbers and start to identify trends. Are more people partaking in games and quizzes than instructor-led events? Use those trends to continue to modify and improve your program.
  3. Susceptibility. You’ll want to measure the number and types of incidents your organization is susceptible to. It’s recommended to establish a baseline before your awareness program kicks off so you can measure against that number after employee awareness has been raised.
  4. Behavior. Are users acting differently? Has their behavior changed? You will be able to see if key messages are being delivered and grasped based on your employees’ response to security related incidents after trainings have been held.
  5. Feedback. Communication is key. It’s important to give employees the opportunity to provide feedback to continually gauge how your program is doing. Surveys work great here; blogs, newsletters, posters, and lunch & learns are also effective ways to keep the momentum going after training and garner feedback.

Advanced Metrics: To be able to truly validate the time and energy you’re spending and secure the budget you’ll need to keep your program in place, look at:

  1. Areas of Weakness. Record the types of attacks your organization is susceptible to (i.e., text messages, email, phone), the content of those threats, the time of day they are most likely to occur, the attack path, the location… After a period of time, measure against the benchmark to understand which way you’re trending. Are you being impacted by more or fewer threats?
  2. People of Weakness. Monitor users who are consistently failing when it comes to cybersecurity and determine if there is a pattern – do they fall under a specific department or role? Consider third party vendors and contractors who may have access to some of your systems and applications. They may be a conduit for cyber attack and should be trained accordingly for the level of responsibility they hold.
  3. People of Strength. Identify the security champions in your organization and find out what makes them different. What is resonating with them? Determine how you can modify your training program to multiply those wins.

Other metrics to pay attention to are:

  • The number of phishing emails that have gone out versus how many have impacted the organization
  • Malicious websites visited
  • Infected computers
  • Lost devices
  • Physical security violations
  • Password strength / Poor password hygiene

The last webinar in this series will be held on October 13th at 10 am EST. Save your spot today!

Chariots, Coffee and Culture; Building an Awareness Program from the Ground Up

This morning GreyCastle Security and Annese & Associates held part one of our three-part Cybersecurity Awareness webinar series that will run through the middle of October.

We’re All on the Treadmill… And We Can’t Get Off.

Undoubtedly, you have heard, read, or watched news coverage on the public data breaches that many large corporations have fallen victim to over the last several months. You yourself may have had to cut up a compromised plastic card or two after your credit union or favorite retail store had been hacked. The topic of cyber crime seems to be everywhere you turn these days yet it is still shrouded in mystery and increasing anxiety.

Reg Harnish stated that no matter who, when, or where companies have been impacted by cyber attack, they each have one thing in common. They started because of human error. But, this is not a user problem; this is a corporate problem. You can’t expect an employee to know how to handle something that they’ve never been educated on. Organizations need to invest in cybersecurity awareness and training for employees if reducing risk is a key objective.

Here are the key points from this morning’s presentation but you may want to download the playback for additional context and explanation.

7 Ways to Create a Cybersecurity Awareness Program

  1. Assign Accountability: Once you make the decision to establish a cybersecurity awareness program, assign someone to own it. If you don’t put someone’s name on a task or goal, it’s less likely to get done. This person should understand and be passionate about increasing awareness and may be responsible for things like measuring progress, determining the frequency of communications, and crafting the training topics and content. Once you have a designated leader, it is important to identify champions within the organization that can evangelize the program and support the concept and approach. Find those people – maybe they are part of the HR Team, or the Training and Development Team, or the Network Administrator Team – and align them to your awareness program.
  2. Set Goals: It is unrealistic to expect that your employees will become awareness champions overnight, so it is important to set well-defined goals that can be measured over time. For example, an initial goal may be to have a certain percentage of employees complete their awareness training in the first round of the program. A secondary goal may be to reduce the percentage of risk from the first quarter of the year to the second. In order to test against that goal, you could send a sample phishing email out to employees and see how many clicks the link gets. Once you’ve determined your goals, socialize them. Let your employees know what their expectations are. Part of the challenge will be finding the right balance between frequency and content.
  3. Identify Your Audience: Different departments and roles require different trainings. Additionally, human beings learn differently. It will be important to understand your audience and determine what will be the best way to get the message absorbed and retained. Some examples of training sessions might be an in-person all-day seminar, an hour-long webinar once a month or once a quarter, or self-administered quizzes and learning modules. Understand how people will engage the best and leverage those mediums. It’s okay to experiment and see what resonates with your audience.
  4. Decide on your Training Topics: Are your audiences technically savvy? Are you required to conduct HIPAA, PCI, or other training initiatives? What areas of security are people weakest in? If people are more susceptible to Dropbox attacks vs. FedEx, then frame trainings around the areas people need the most education on.
  5. Set a Baseline: Conduct tests to determine your audience’s skill-set before the program starts, and compare it later. If 60% of employees click on that phishing link the first time, compare that percentage after they have experienced the training. You want to see the trend toward behavioral change improve on average, over time.
  6. Conduct the Initial Training: Executing the initial training, by whichever medium you choose to leverage, is really about connecting with your audience in the right way. You want to be careful who you put in front of your audience and make sure to enlist a speaker who understands the human condition, understands behavioral psychology, and can mix humor with meaningful information that leaves your employees feeling engaged, informed, and inspired to act.

    Shameless Plug Alert: Part II of this webinar series will focus on how to build good content for the training, so save your spot now!

  7. Collect Feedback: Once the initial awareness training has concluded, this step is very important. Send out a simple survey to gather feedback from your audience, then integrate it into your next event. You should always be thinking, ‘how can I make this better next time?’ The formula is not an exact science. You need to make sure you’re critically reviewing that feedback and pumping it back into your program to enhance it.

Closing Thoughts:

Remember, an effective program doesn’t cost any more than an ineffective program; so, if you’re going to engage in employee cyber training, you may as well get it right.

Unfortunately, this issue is not going away. With companies adding new employees to their team, acquiring firms, relocating building spaces, and updating applications and networks on the regular, cybersecurity awareness is a topic that remains ever-relevant.

Ensuring that your employees are educated on what to do (and what not to do) to keep your corporate assets safe is a cost of doing business. It may sound overwhelming at first, but it is achievable if you go about it the right way.

GreyCastle Security Named to Cybersecurity 500 as Hot Company to Watch in 2015

Troy, NY – April, 2015 – GreyCastle Security, a leading provider of cybersecurity consulting services, announced it has been listed by Cybersecurity Ventures on the Cybersecurity 500, a directory of leading cybersecurity companies compiled for IT security decision makers.

“We selected thousands of potential companies for inclusion in the Cybersecurity 500, by soliciting feedback from CISOs and end-user security practitioners, researching hundreds of Cybersecurity events on the Cybersecurity Calendar, and researching dozens of Cybersecurity news sources that we follow,” said Steve Morgan, founder and CEO of Cybersecurity Ventures.

GreyCastle Security has experienced 3 consecutive years of record-breaking growth in all aspects of their business including 220% sales growth, 200% growth in employees and 500% growth in net income, but unlike most awards in the industry, the CyberSecurity 500 does not take revenues, number of employees, or expected annual growth into consideration for inclusion on the list. Ranking is instead based upon various aspects of the company, including:

  • Customer Base
  • Feedback from CISO’s and Decision Makers
  • Feedback from IT Security Evaluators & Recommenders
  • Company Growth
  • Demos and Presentations at Conferences
  • Corporate Marketing and Branding
  • Media Coverage
  • Notable Implementations

“We are extremely honored to be included on this elite list of companies,” said Reg Harnish, CEO of GreyCastle Security. “Cybersecurity is a huge and growing concern for businesses in every industry. GreyCastle Security is committed to helping organizations understand and mitigate cybersecurity risks,” said Reg Harnish. Harnish doesn’t expect to see GreyCastle’s growth slow down even remotely in the next few years. With office expansions, human capital and sales all on track to double again in 2015, we can expect to see big things from this innovative information security consulting firm.


Safe Shopping

Top Online Shopping Safety Tips

  1. Only shop at reputable online retailers.
  2. Use your credit card instead of your debit card – your credit card offers more protection if it’s compromised.
  3. Check out as a guest if possible – why store information online if you don’t have to?
  4. Check for HTTPs, the lock icon and safe shopping certificates before providing sensitive information.
  5. Check your bank and credit card statements regularly!


A critical flaw in OpenSSL’s cryptographic libraries, known as Heartbleed, has left approximately two-thirds of the internet’s web servers vulnerable to attacks that can result in the decryption of cryptographic keys, protected content (such as usernames and passwords), and other data that relies on SSL/TLS encryption.

OpenSSL is used to secure websites, email, instant messaging, VPNs, and many other forms of data. Without any prior knowledge (such as a given username or password), attackers are able to access privileged information on vulnerable systems. Nearly every internet user is expected to have at least some of their data vulnerable to these attacks.

OpenSSL is most commonly used in Apache and nginx web servers, but can also be found on Debian Wheezy, Ubuntu, CentOS, FreeBSD, OpenBSD, OpenSUSE and others.


It is recommended that all organizations do the following:

1. Identify, through vulnerability scanning or other means, any instances of OpenSSL versions 1.0.1 or 1.0.2 (beta).

2. Apply patch(es) to affected systems, issue new security keys, and revoke their old ones.

3. For systems where patches cannot be applied, consider other controls to compensate for the vulnerability.
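Step 1 above starts with an inventory of which hosts run the affected OpenSSL branches. The following is an added example (not GreyCastle’s tooling) that parses constructed `openssl version` banners gathered per host and sorts hosts into those needing the patch-and-re-key treatment, using only the branches the advisory names (1.0.1 and the 1.0.2 betas); the hostnames and banners are made up.

```python
"""Triage an OpenSSL inventory for the branches named in the advisory above.

Added example, not part of the original post. Input is constructed: one line
per host in the form "hostname<TAB><output of `openssl version`>".
"""
import re

# Constructed sample inventory, as if `openssl version` had been run on each host.
INVENTORY = """\
web01\tOpenSSL 1.0.1e 11 Feb 2013
web02\tOpenSSL 1.0.2-beta1 24 Feb 2014
mail01\tOpenSSL 1.0.0k 5 Feb 2013
vpn01\tOpenSSL 0.9.8y 5 Feb 2013
lb01\tOpenSSL 1.0.1 14 Mar 2012
dev01\tcommand not found
"""

# Matches "1.0.1", "1.0.1e" and "1.0.2-beta1": major.minor.patch,
# an optional letter release, and an optional "-betaN" pre-release tag.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d*))?")


def parse_version(banner):
    """Return (major, minor, patch, letter, prerelease), or None if the text is not an OpenSSL banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, pre = m.groups()
    return int(major), int(minor), int(patch), letter, pre


def is_affected_branch(version):
    """True for the branches the advisory lists: every 1.0.1 release and the 1.0.2 betas."""
    major, minor, patch, _letter, pre = version
    if (major, minor, patch) == (1, 0, 1):
        return True
    if (major, minor, patch) == (1, 0, 2) and pre is not None:
        return True
    return False


def triage(inventory):
    """Split hosts into: affected (patch, reissue keys, revoke old ones), other branches, unparseable."""
    affected, unaffected, unknown = [], [], []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, banner = line.partition("\t")
        version = parse_version(banner)
        if version is None:
            unknown.append(host)          # no banner: inspect the host by other means
        elif is_affected_branch(version):
            affected.append(host)
        else:
            unaffected.append(host)
    return affected, unaffected, unknown


if __name__ == "__main__":
    affected, unaffected, unknown = triage(INVENTORY)
    print("Patch, reissue keys, revoke old ones:", affected)
    print("Other branches (verify separately):", unaffected)
    print("Could not parse banner, check manually:", unknown)
```

Treat the banner as a starting point only: distributions frequently backport a fix without changing the reported version string, so confirm each host against your vendor’s advisory or a vulnerability scanner before marking it clean.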

March Madness

He shoots! He scores! While that phrase may be coming out of the mouths of excited fans this March as they watch their favorite team advance to the “Sweet 16”, hackers might be saying the same things as you advance in their own bracket.

With numerous online betting and bracket sites available, as well as nonstop search queries for the latest team updates, it’s the perfect opportunity for hackers to get a slam dunk, so follow these tips to enjoy the tournament while staying secure.

1. Stick to Safe Sites

Cybercriminals are fully aware that fans are constantly checking their team’s latest stats, so in turn they have created malicious links and sites that look like legitimate websites but are infected with malware. Stick to well-known and reputable websites for your basketball updates.

2. Practice Safe Streaming

While you may be eager to download any advertised live streaming of the games while you’re on the go, don’t download from unknown sites; you could risk a whole lot more than missing the last few minutes of the game.

3. Apps Can Be Traps

While you may feel safer downloading an app on your phone than live streaming or going to an unknown website, don’t be fooled. Apps can be just as dangerous if precautions aren’t taken. Never use “jailbroken” apps, and always check the app store rating and read reviews before downloading.

4. Be Wary of Wiring

If you’re using your personal bank account for transferring bets, never check your account while using a public wireless network, as these can be a slam dunk way for hackers to easily get access to your account.